To start PingAuthorize Policy Editor, use the bin/start-server command.

$ bin/start-server

You can run bin/start-server manually from the command line or within a script.

Overriding the configuration at startup

You can override a number of Policy Editor settings by defining specific environment variables before starting the server. By overriding some of the configuration, you can redefine certain aspects of the configuration without re-running the setup tool.

To override the configuration, stop the Policy Editor, define one or more of the environment variables, and restart the Policy Editor.

Environment variables you can use to override configuration variables

The following table lists the environment variables that you can define, sorted based on expected frequency of use with related variables grouped together.

Environment variable Example value Description


The Policy Editor hostname and port.

PingAuthorize uses this value to construct AJAX requests.

The port value must match the value of PING_PORT for web browsers to pass cross-origin resource sharing (CORS) checks.



The Policy Editor HTTPS port.

The server binds to this listen port.



The Policy Editor’s key store type. Valid values include JKS and PKCS12.



The path to the Policy Editor’s key store.



The path to the Policy Editor's key store PIN file. When present, this environment variable takes precedence over PING_KEYSTORE_PASSWORD when validating and presenting the server certificate. The key store PIN value itself does not persist to the configuration.yml file and is not visible on the command-line. For a more complete example, see the Demo mode (custom SSL certificate) tab of Installing the PingAuthorize Policy Editor non-interactively.



The Policy Editor’s key store password.



The alias for the Policy Editor’s server certificate.



The Policy Editor’s shared secret, which PingAuthorize Server needs to make policy requests to the Policy Editor.


The OpenID Connect (OIDC) provider’s discovery URL. Used when the Policy Editor is set up in OIDC mode.


openid email profile additional_scope

Space-separated OIDC scopes that the Policy Editor requests during authorization and validates during token verification. Used to override the requested OIDC scopes configured during server setup.



The OIDC Transport Layer Security (TLS) validation setting. Set to NONE to configure the Policy Editor to accept self-signed SSL certificates from the OIDC provider and skip hostname verification.

Used when the Policy Editor is set up in OIDC mode. For non-production use only.



The Policy Editor’s client ID with the OIDC provider. Used when the Policy Editor is set up in OIDC mode.


admin, user1, user2

Used in demo mode. A comma-separated list of usernames accepted by the Policy Editor for sign on.



The path to the policy database H2 file.

Leave off the .mv.db extension.



The username the application uses to access the server database.



The password the application uses to access the server database.



The username the setup tool uses when upgrading the policy database (H2 only).



The password the setup tool uses when upgrading the policy database (H2 only).



The path to an options.yml file to use with the Policy Editor's setup tool.



The admin port where the H2 database backup endpoint is available.

The policy administration point (PAP) uses this endpoint to back up the H2 database, which stores your Trust Framework, policies, commit history, and other data.

Related environment variables: PING_BACKUP_SCHEDULE, PING_H2_BACKUP_DIR


0 0 0 * * ?

The periodic database backup schedule for the Policy Editor (also known as the PAP) in the form of a cron expression.


The PAP evaluates the expression against the system timezone. For the PingAuthorize Docker images, the default timezone is UTC.

The default is 0 0 0 * * ?, which is midnight every day.

For more information, see Quartz 2.3.0 cron format.

Related environment variables: PING_ADMIN_PORT, PING_H2_BACKUP_DIR



The directory in which to place the H2 database backup files.

The default is SERVER_ROOT/policy-backup.

Related environment variables: PING_ADMIN_PORT, PING_BACKUP_SCHEDULE



Controls the API HTTP caching feature for the run-time instance of the server. APIs are cached by default.

Provide this environment variable at run time and set it to false to disable API HTTP caching for that server instance.



Determines whether PingAuthorize performs SNI hostname checks. By default, these checks are disabled.

Example: Use an existing SSL certificate for HTTPS connections

This example shows how to provide the environment variables necessary for the Policy Editor to present a different SSL certificate than the one configured during setup:

env PING_CERT_ALIAS=<certificate-nickname> \
PING_KEYSTORE_PATH=<path-to-keystore-file> \
KEYSTORE_PIN_FILE=<path-to-keystore-pin-file> \

Example: Override the configured HTTPS port

In this example, the Policy Editor is started using an HTTPS port that differs from the value configured during installation. The override requires two environment variables: PING_PORT and PING_EXTERNAL_BASE_URL.

$ bin/stop-server
$ export PING_PORT=9443; bin/start-server

Example: Override the configured policy database location

This example changes the policy database location. The new value must be a policy server Java database connectivity (JDBC) connection string for an H2 embedded database. To use a file located at /opt/shared/, use the following commands:

$ bin/stop-server
$ export PING_H2_FILE=/opt/shared/Symphonic
$ bin/setup demo {ADDITIONAL_ARGUMENTS} && bin/start-server

Even though the actual filename of the policy database includes the extension .mv.db, the JDBC connection string excludes the extension.

If /opt/shared/ does not exist, setup creates a new one. If the file does exist and is from an older PingAuthorize server, setup updates the file to the latest version.

Troubleshooting startup errors

The bin/start-server command prints an error message if it detects that an error has occurred during startup. For more information about the error, see the logs/authorize-pe.log and logs/start-server.log files.